OSV - Open Source Vulnerabilities

CVE-2026-49220

github.com/jellyfin/jellyfin

Jellyfin: Potential XSS in user management

yesterday

Fix available
Severity - 5.7 (Medium)

CVE-2026-48793

github.com/jellyfin/jellyfin

Jellyfin: Potential FFmpeg argument injection via unescaped subtitle file path

yesterday

Fix available
Severity - 8.8 (High)

CVE-2026-49246

github.com/jellyfin/jellyfin

Jellyfin: Potential MKV attachment filename path traversal to RCE

yesterday

Fix available
Severity - 1.7 (Low)

CVE-2026-49247

github.com/jellyfin/jellyfin

Jellyfin: Potential Authenticated path traversal in /ClientLog/Document

yesterday

Fix available
Severity - 8.8 (High)

CVE-2026-53943

github.com/tryghost/ghost

Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header

yesterday

Fix available
Severity - 9.6 (Critical)

CVE-2026-53944

github.com/tryghost/ghost

Ghost: Private IP filtering bypass to make server-side requests to internal services

yesterday

Fix available
Severity - 5.8 (Medium)

CVE-2026-53945

github.com/tryghost/ghost

Ghost: Server-side request forgery via DNS rebinding in external request handling

yesterday

Fix available
Severity - 4.0 (Medium)

CVE-2026-53946

github.com/tryghost/ghost

Ghost: Mobiledoc image-size fetch SSRF

yesterday

Fix available
Severity - 5.4 (Medium)

CVE-2026-53947

github.com/tryghost/ghost

Ghost: Member existence leak via magic link sign-in response

yesterday

Fix available
Severity - 5.3 (Medium)

CVE-2026-53948

github.com/tryghost/ghost

Ghost: File Upload Content-Type Spoofing

yesterday

Fix available
Severity - 5.4 (Medium)

CVE-2026-53949

github.com/tryghost/ghost

Ghost Content API filter bypass reveals private fields

yesterday

Fix available
Severity - 5.3 (Medium)

CVE-2026-53950

github.com/tryghost/ghost

@tryghost/activitypub: XSS in Ghost's ActivityPub client

yesterday

Fix available
Severity - 7.5 (High)

CVE-2026-49980

github.com/rclone/rclone

Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix

yesterday

Fix available
Severity - 9.8 (Critical)

CVE-2026-44017

github.com/docling-project/docling

Docling: Unsafe Zip Extraction in EasyOCR Model Download

yesterday

Fix available
Severity - 7.5 (High)

CVE-2026-44022

github.com/docling-project/docling

Docling: Potential Path Traversal via LaTeX \includegraphics and \input Commands

yesterday

Fix available
Severity - 5.5 (Medium)

CVE-2026-44020

github.com/docling-project/docling

Docling: Unsafe XML Entity Expansion in USPTO Patent Backend

yesterday

Fix available
Severity - 7.5 (High)